Possible Kolab LDAP configuration information disclosure
Luca Villani
luca.villani at wseurope.com
Tue Apr 20 14:06:08 CEST 2004
Hi.
I think there is an information disclosure in the slapd configuration file:
/var/origkolab/etc/openldap/slapd.conf
Here the rootdn password is stored in cleartext, like this:
rootpw "averystrongpassword"
A possible workaround is to invoke
/kolab/sbin/slappasswd
in order to manually generate an encrypted password, like this:
[root@democrito kolab]# ./sbin/slappasswd
New password:
Re-enter new password:
{SSHA}T++o7gQdMj1b1u4pjlJ57Ei0qbAbGje2
[root@democrito kolab]#
The cleartext rootdn password in the configuration file can be substituted with
the manually generated encrypted password, in this manner:
rootpw {SSHA}T++o7gQdMj1b1u4pjlJ57Ei0qbAbGje2
I have not tested this workaround; AFAYK, are there any problems?
--
Luca Villani Wireless Solutions spa - DADA group
NOC manager Europe HQ, via Castiglione 25 Bologna
http://www.wseurope.com Tel: +39 051 2966826 Fax: +39 051 2966800
GPG public key available Mobile: +39 348 5298542 UIN: 76272621
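
An added example, not part of the original post or of Kolab's code: a small check that flags `rootpw` lines stored without a hash scheme and rewrites them with an `{SSHA}` value, as the workaround above does by hand. The function names and the sample configuration are hypothetical; the `{SSHA}` layout assumed is OpenLDAP's base64 of the SHA-1 digest followed by the salt.

```python
import base64, hashlib, hmac, os, re

ROOTPW_RE = re.compile(r'^(\s*rootpw\s+)(.+?)\s*$')
# A value with a {SCHEME} prefix other than {CLEARTEXT} is stored hashed.
HASHED_RE = re.compile(r'^\{(?!CLEARTEXT\})[A-Za-z0-9-]+\}', re.I)

def ssha_hash(password, salt=None):
    """{SSHA} value: base64(SHA1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, value):
    """Recompute the digest using the salt stored after the 20-byte SHA-1."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def find_cleartext_rootpw(conf_text):
    """Return (line_number, value) for each rootpw stored unhashed."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = ROOTPW_RE.match(line)  # commented-out lines start with '#': no match
        if m and not HASHED_RE.match(m.group(2).strip('"')):
            hits.append((n, m.group(2).strip('"')))
    return hits

def harden(conf_text):
    """Rewrite each cleartext rootpw line with an {SSHA} hash of the same password."""
    lines = conf_text.splitlines()
    for n, value in find_cleartext_rootpw(conf_text):
        prefix = ROOTPW_RE.match(lines[n - 1]).group(1)
        lines[n - 1] = prefix + ssha_hash(value)
    return "\n".join(lines) + "\n"

# Constructed sample; only the rootpw line mirrors the one quoted in the post.
SAMPLE_CONF = '''# slapd.conf (constructed)
rootdn "cn=manager,dc=example,dc=com"
rootpw "averystrongpassword"
'''

if __name__ == "__main__":
    # Report line numbers only, so the audit output does not repeat the password.
    print([n for n, _ in find_cleartext_rootpw(SAMPLE_CONF)])
    print(harden(SAMPLE_CONF))
```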